Threat Roundup for January 17 to January 24
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Jan. 17 and Jan. 24. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found herethat includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.
The most prevalent threats highlighted in this roundup are:
| Threat Name | Type | Description |
|---|---|---|
| Win.Packed.TrickBot-7541396-1 | Packed | Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts. |
| Win.Dropper.Qakbot-7541405-1 | Dropper | Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. |
| Win.Packed.Nymaim-7542552-1 | Packed | Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads. |
| Win.Malware.Azorult-7541464-1 | Malware | Azorult is a banking trojan that attempts to steal credit card data and other sensitive information to facilitate cybercrime. |
| Doc.Malware.Emotet-7544675-1 | Malware | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. |
| Win.Worm.Vobfus-7541859-0 | Worm | Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will launch when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers. |
| Win.Trojan.XpertRAT-7550253-1 | Trojan | XpertRAT is a remote access trojan that provides an attacker with the ability to access an infected machine remotely and has the ability to steal sensitive information like usernames and passwords. XpertRAT has been around since 2011 and consists of a core component and multiple modules, all written in Delphi. |
| Win.Trojan.Upatre-7549404-0 | Trojan | Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. |
| Win.Packed.Passwordstealera-7544289-0 | Packed | This malware has the ability to harvest stored credentials, keystrokes, screenshots, network activity, and more from computers where the software is installed. |
Threat Breakdown
Win.Packed.TrickBot-7541396-1
Indicators of Compromise
| Registry Keys | Occurrences |
|---|---|
| `<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | |
| Value Name: Blob ` | 7 |
| `<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PROFILELIST\S-1-5-21-2580483871-590521980-3826313501-500 | |
| Value Name: RefCount ` | 2 |
| `<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE | |
| Value Name: Blob ` | 1 |
| Mutexes | Occurrences |
| — | — |
Global\316D1C7871E10 |
40 |
| IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences |
| — | — |
95[.]181[.]198[.]151 |
24 |
79[.]174[.]12[.]245 |
22 |
195[.]123[.]240[.]81 |
16 |
185[.]62[.]188[.]83 |
12 |
181[.]140[.]173[.]186 |
10 |
5[.]182[.]210[.]109 |
10 |
185[.]99[.]2[.]149 |
10 |
85[.]143[.]219[.]230 |
10 |
23[.]95[.]231[.]187 |
10 |
176[.]119[.]159[.]204 |
9 |
198[.]23[.]209[.]201 |
8 |
5[.]2[.]76[.]122 |
8 |
146[.]185[.]219[.]31 |
8 |
198[.]8[.]91[.]10 |
6 |
92[.]63[.]105[.]138 |
6 |
5[.]182[.]211[.]44 |
6 |
164[.]68[.]120[.]60 |
5 |
181[.]129[.]104[.]139 |
4 |
51[.]89[.]73[.]159 |
4 |
216[.]239[.]38[.]21 |
3 |
181[.]113[.]28[.]146 |
3 |
176[.]58[.]123[.]25 |
2 |
116[.]203[.]16[.]95 |
2 |
52[.]44[.]169[.]135 |
2 |
52[.]55[.]255[.]113 |
2 |
*See JSON for more IOCs
| Domain Names contacted by malware. Does not indicate maliciousness | Occurrences |
|---|---|
teene[.]site |
6 |
checkip[.]amazonaws[.]com |
4 |
api[.]ipify[.]org |
3 |
ipinfo[.]io |
3 |
ident[.]me |
2 |
ip[.]anysrc[.]net |
2 |
api[.]ip[.]sb |
2 |
ipecho[.]net |
2 |
2cdajlnnwxfylth4[.]onion |
2 |
www[.]myexternalip[.]com |
1 |
250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org |
1 |
myexternalip[.]com |
1 |
icanhazip[.]com |
1 |
wtfismyip[.]com |
1 |
| Files and or directories created | Occurrences |
| — | — |
%System32%\Tasks\Task Gpu health |
40 |
%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt |
40 |
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp |
40 |
None |
39 |
%APPDATA%\DirectTools\data |
25 |
%APPDATA%\DirectTools\settings.ini |
25 |
%APPDATA%\gpuhealth |
15 |
%APPDATA%\gpuhealth\data |
15 |
%APPDATA%\gpuhealth\settings.ini |
15 |
%APPDATA%\DirectTools\Data\pwgrab64 |
2 |
%APPDATA%\DirectTools\data\pwgrab64_configs\dpost |
2 |
%APPDATA%\DirectTools\data\pwgrab64_configs |
1 |
File Hashes
0143ebd2f87acf44bf4b8dc9f03ba00e7eff4d2a723e93bfb7c628a83b993f9a 06951826498d418e5f0ca33112d2cb607d738e9ccb08feaa1ce3427bffa22600 06fce1e6e9c3187d9cf087c6fe4034785f1ffaccbe9b500e424dcc03946a83da 0a1a547185e396fa877b82e7cbc716fe682a95588914944246f0b18c8828bf8f 0addc7b9d5e37d663277cdc9c15fa001ed5db6fa59263a5869b5aed99180ef02 0e4b9cea532791a825d4774d95580827667bff1e75f83b936d0e5cc3ab7236e6 16a0f1a7a0fe7277e4ef69b214b48a0c7f6a96fee6c78bf979b92fb97aed3c83 1f42082ee2954a70c60d15886366307ccacbb8080f03daa536e3fae361a46f4d 20ec1ae9bf3e33e2321f10cb230cc543792b94ecfaf358847b6b85e6d03af17f 297e4bd8eb28b69336a5d05abefd50985f7f5161c1bb08dd54a287a85123f856 2a1494652183e00b35e5566123fa3a2b3d73f9ac8a686258b4905a47a5354488 30b023cc4b072dfdef48929f92bbf283d112a92d03698b58b4c4fea402912c82 31ef497ec1ba5f2a858c92732416cff7bc1a1cdfaddef2ec539b09bbf9e83369 34610185ae8d7ccb60c2c536a2a1ed17be1b4741d2f88206f874276309b439ac 364252d2f0111a2d1bb24aaae430f57ae07c6209682b3567d5c99bbc73a2ce26 3826b709fd3add9b91d37828209ca8b8c05aa60ca2c34d82be1f4260b8188f83 38b5cf64a8cb8099d5c24d82ddd981f00941126c53b999906ddab7b4eff05b11 3c4bf379d34de653845d1efc59eb441388e99aa7e72137b5964d74467d58013f 3e206f84c4467a51a246ada113646b8dd79aebec8b2ecbd515434335db48f6f0 4172720904201256e209df95026384a4a46c1cd5f7910aa7d309633b747e37da 45a2a54c9228d8aef0ef8599c21b2b51bb4163aa02982a205c2fee36c9ffd5e3 47e90d2bd50809df1e9b1b8bc97883dbfa277a760914179cc8f8e54b58290852 4d13f83b56a619c0c34d5fa2fd1c3376ed3c3b837d626599983be29a0e31cc00 4d3eb4806824008f979eae543f41cc90e1e7dd47d95b70bb98984454974d0865 52e86752e9af7aec9c31ea3f3bb224ad02966c11bf7ef73e0eeaf4c247fd2a51
*See JSON for more IOCs
Coverage
| Product | Protection |
|---|---|
| AMP |  |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | |
| Umbrella | N/A |
| WSA | |
Screenshots of Detection
ThreatGrid
Win.Dropper.Qakbot-7541405-1
Indicators of Compromise
| Mutexes | Occurrences |
|---|---|
ocmwn |
22 |
| Files and or directories created | Occurrences |
| — | — |
%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt |
22 |
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp |
22 |
\TEMP\437d5b4d9e4c5d8ab4615871f9e7830c.exe |
1 |
\TEMP\385ece7d547122fba5d712c7495a6721.exe |
1 |
\TEMP\c09a343a545e0f9e36444a847e3ad5ac.exe |
1 |
\TEMP\c78811efdd2612e5ca25249df2cf7600.exe |
1 |
File Hashes
0aea1de8b679fe547239de586664d4693f8cc6cef89340b3fb161c09630f6b14 1118a488e6f39981fb9b24b1bbf3dcd9c0bde2ca79353ad231427a96e951340e 15a4c8dc1980650038b2e8823807746cadb6f106737719e8e8c14b3fcea0b8d4 1e24651cd82da5234ef6dc48f67ea123889fab0dcfe9d41c9d9e4aaba7016786 1ea2902b3b1245d195b86c48a72ea70591877f99beeb622c20bb8ec672ce2daf 298c9f7d8fb46cbf8d3d59a9b145ebbc1c27cb507e4290cd37f02e6754225ddf 2a389b7f20979df29d32ecbcfb0c290891aea90d483f29f95617c2b06dc72670 3617f78b320d1e2efa260579b7d7df9beb37fc47c4bb7d5f320d7675f18894ed 3754ca2f4e3057827092577b1385fde7f07a53f12c6ddc3d6fd5f0f9d6a1239c 457b9bd110b9ada83477e9e1b578663cc3fa5e9d8d0eea8eb41bca51ed11fe09 4c1c055f423adc3d2eed4a54602bf607ccf2562f498aca8b1f1e7e23e1054373 6e2382936ba75dc342bec4ddee3bfc1f3a608f9dfaf3146c9a23d6e3551d6e3f 8e01ab60655a87bdc2a3b56bdc84a50e1c4079555218f28ff6fdc6e1ac109e92 a73e870268c6baa9b6c1f646b7b56d96655b0e2af784be9b5de3dd618c0e8fde bec8eb12798277e788ee835a6da3873fac69a68fb9796d2f248b9b3162285869 c0a8971ffec59c7987826d4ba03fbe539263b92f90718dbdabf6cc382531e417 c78e50570a2d04460be294f5bf5626d03b21c177aa0271e0597baea65caaa2b2 ca0e1deff6b8bcdb9bd5a170529339c6582e78deaa5153db86098fe65664f7e2 cd64755ab2a51aeeefe9afb202ddc84b7f04570271f27630eaf8ea76811937a0 d119ff32920eb407b85a23c825b67454444c0b5097deae743ab8f774f5416d28 d1c307f7b14523f3fa68fbbe0c41b39c40c3a8a27db996d4b952cb7fc183a42b dd722366c1a992ad2e014c2eacb856e76f7677acee045ed552ae3b2ee05e2e99
Coverage
| Product | Protection |
|---|---|
| AMP | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | |
| Umbrella | N/A |
| WSA | N/A |
Screenshots of Detection
ThreatGrid
Win.Packed.Nymaim-7542552-1
Indicators of Compromise
| Registry Keys | Occurrences |
|---|---|
<HKCU>\SOFTWARE\MICROSOFT\GOCFK |
15 |
| `<HKCU>\SOFTWARE\MICROSOFT\GOCFK | |
| Value Name: mbijg ` | 15 |
| Mutexes | Occurrences |
| — | — |
Local\{369514D7-C789-5986-2D19-AB81D1DD3BA1} |
15 |
Local\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A} |
15 |
Local\{F04311D2-A565-19AE-AB73-281BA7FE97B5} |
15 |
Local\{F6F578C7-92FE-B7B1-40CF-049F3710A368} |
15 |
Local\{306BA354-8414-ABA3-77E9-7A7F347C71F4} |
15 |
Local\{F58B5142-BC49-9662-B172-EA3D10CAA47A} |
15 |
Local\{C170B740-57D9-9B0B-7A4E-7D6ABFCDE15D} |
15 |
Local\{888E04DB-EDDB-D2EC-5F32-1719D74FA2E0} |
15 |
Local\{D876A547-0EDD-4A55-0873-9F0D6D3719FB} |
15 |
| Domain Names contacted by malware. Does not indicate maliciousness | Occurrences |
| — | — |
fzncuowwstw[.]pw |
15 |
wawrgrtjcdr[.]com |
15 |
ochirxt[.]net |
15 |
klcbberl[.]com |
15 |
fxcskhwr[.]in |
15 |
vpbcco[.]net |
15 |
mrbhs[.]pw |
15 |
wiztdyzp[.]com |
15 |
eqbrnmigl[.]in |
15 |
csuaibcneix[.]net |
15 |
lnulxvsvvl[.]pw |
15 |
szthbpsn[.]pw |
15 |
nokuznpxbypo[.]com |
15 |
tthzpuipne[.]pw |
15 |
juxrdizkivk[.]net |
15 |
hcjihn[.]in |
1 |
omcbnlos[.]net |
1 |
voxrdn[.]net |
1 |
zbztpauc[.]pw |
1 |
caojbfvum[.]net |
1 |
dkzexx[.]net |
1 |
npdcqoxaepfz[.]net |
1 |
ljhafrwlf[.]in |
1 |
vauordi[.]com |
1 |
bfeqxicrqaxp[.]pw |
1 |
*See JSON for more IOCs
| Files and or directories created | Occurrences |
|---|---|
%ProgramData%\ph |
15 |
%ProgramData%\ph\fktiipx.ftf |
15 |
%TEMP%\gocf.ksv |
15 |
%ProgramData%\<random, matching '[a-z0-9]{3,7}'> |
15 |
%APPDATA%\<random, matching '[a-z0-9]{3,7}'> |
15 |
%LOCALAPPDATA%\<random, matching '[a-z0-9]{3,7}'> |
15 |
%TEMP%\fro.dfx |
12 |
\Documents and Settings\All Users\pxs\pil.ohu |
12 |
%TEMP%\bpnb.skg |
1 |
%TEMP%\haqhxh.vsz |
1 |
\Documents and Settings\All Users\po\vikog.axh |
1 |
File Hashes
13faed74357cf5f5a66983ce864e49d8ab3d16dc0c4c04a95888fe6ff2580b5c 1e22dbdfbcafcef6e91099b7c345a52a4f59a92fe1f8d30e333bce0d92b7c850 2c22e368525024b26e7c7d1058260093a2f380373010e6e387bea75e325c613c 36799b98d45008973435f10c8e1ba40288b92d6199e4ecec16e40e918e44d58d 3f9a8d0d084d4640a73140faf01df696531c0a6d762309655c503718b412a081 4a70f8df27631b3f76c1a6d520aa53983484e442dd79155d20101fae271e98c5 63fe06736f3fe6ef3ae4c58c89cebc9f055872cab247a707490e3c4b41ca8ff7 9938f7621ae034d3b677c1dbebeb29fe57e1e8a275856aa404d2bca260c808a4 a315a6e21350c5a9811f5006b78ffc5906e5f0c2fc1ed31af8bfc7e056f12797 a66e66ef119cb1451ba006a49417432bc8700f096adff827d4ae7bf0dae07a67 acebcce1368e7a969746cae53715768a37620dc2cfd278f4cff2b891c0d9af6c c43573752804b8f215c95dcb4ab87985cfc87010bfe459e9ab836c8dacb86f5c ccd4a7ded8fa23a750dc9437399cdc6f84964fc0fe4106b2df67ad558014b9e9 e0e5fb674a45c8d4515294b2b591860679993da4a2c48f656f206fa874a5cb98 fd65221380cfca194a1dbd9351357ee2fd0c132784385ed1ff3141c5b19a6805
Coverage
| Product | Protection |
|---|---|
| AMP | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | |
| Umbrella | N/A |
| WSA | N/A |
Screenshots of Detection
ThreatGrid
Win.Malware.Azorult-7541464-1
Indicators of Compromise
| Registry Keys | Occurrences |
|---|---|
<HKCU>\SOFTWARE\PICTURE |
20 |
<HKCU>\SOFTWARE\PICTURE\PICTUREPROCESSINGTOOLSV1.0 |
20 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER | |
| Value Name: GlobalAssocChangedCounter ` | 10 |
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1 |
10 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1 | |
| Value Name: DisplayName ` | 10 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1 | |
| Value Name: DisplayVersion ` | 10 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1 | |
| Value Name: VersionMajor ` | 10 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1 | |
| Value Name: VersionMinor ` | 10 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1 | |
| Value Name: Publisher ` | 10 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1 | |
| Value Name: DisplayIcon ` | 10 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1 | |
| Value Name: UninstallString ` | 10 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1 | |
| Value Name: URLInfoAbout ` | 10 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1 | |
| Value Name: HelpLink ` | 10 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1 | |
| Value Name: InstallLocation ` | 10 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1 | |
| Value Name: InstallSource ` | 10 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1 | |
| Value Name: Language ` | 10 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1 | |
| Value Name: NoModify ` | 10 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1 | |
| Value Name: NoRepair ` | 10 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1 | |
| Value Name: InstallDate ` | 10 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1 | |
| Value Name: EstimatedSize ` | 10 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BYTEDOWNLOAD PROTECT SERVICE |
9 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BYTEDOWNLOAD PROTECT SERVICE | |
| Value Name: Type ` | 9 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BYTEDOWNLOAD PROTECT SERVICE | |
| Value Name: Start ` | 9 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BYTEDOWNLOAD PROTECT SERVICE | |
| Value Name: ErrorControl ` | 9 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BYTEDOWNLOAD PROTECT SERVICE | |
| Value Name: DisplayName ` | 9 |
| Mutexes | Occurrences |
| — | — |
d19ab989-a35f-4710-83df-7b2db7efe7c5{846ee340-7039-11de-9d20-806e6f6e6963} |
10 |
A16467FA7-343A2EC6-F2351354-B9A74ACF-1DC8406A |
10 |
Global\<random guid> |
10 |
01B1CA98-EE2E-41B3-8A2F-F319643109E5 |
2 |
None |
1 |
| IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences |
| — | — |
216[.]83[.]52[.]40 |
20 |
103[.]91[.]210[.]187 |
11 |
45[.]139[.]236[.]14 |
10 |
23[.]106[.]124[.]148 |
10 |
45[.]76[.]18[.]39 |
9 |
37[.]140[.]192[.]153 |
9 |
104[.]27[.]185[.]71 |
7 |
185[.]99[.]133[.]121 |
6 |
37[.]140[.]192[.]166 |
6 |
88[.]99[.]66[.]31 |
5 |
13[.]107[.]21[.]200 |
4 |
93[.]190[.]142[.]79 |
3 |
208[.]95[.]112[.]1 |
3 |
209[.]141[.]34[.]150 |
3 |
216[.]83[.]52[.]19 |
3 |
104[.]27[.]184[.]71 |
3 |
183[.]131[.]207[.]66 |
2 |
216[.]83[.]52[.]20 |
2 |
204[.]79[.]197[.]200 |
1 |
220[.]243[.]236[.]20 |
1 |
220[.]242[.]158[.]12 |
1 |
104[.]28[.]10[.]3 |
1 |
204[.]188[.]226[.]98 |
1 |
104[.]27[.]171[.]106 |
1 |
194[.]36[.]188[.]13 |
1 |
| Domain Names contacted by malware. Does not indicate maliciousness | Occurrences |
| — | — |
iplogger[.]org |
10 |
silvergeoa[.]com |
10 |
area[.]cyp360[.]com |
10 |
installsilver[.]com |
9 |
confirmssystems[.]com |
9 |
passwordkernel[.]online |
9 |
123321123[.]fun |
6 |
scp46[.]hosting[.]reg[.]ru |
4 |
ip-api[.]com |
3 |
myprintscreen[.]com |
3 |
fbinstall[.]cyp360[.]com |
3 |
ok |
2 |
js[.]users[.]51[.]la |
2 |
ia[.]51[.]la |
2 |
budison-oklarly[.]com |
2 |
ac[.]681776[.]com |
2 |
yip[.]su |
1 |
megagemes[.]info |
1 |
termscenter[.]com |
1 |
cleand8yv0m6g[.]top |
1 |
newbook-t[.]info |
1 |
| Files and or directories created | Occurrences |
| — | — |
\TEMP\d |
20 |
\TEMP\d-shm |
20 |
\TEMP\d-wal |
20 |
%TEMP%\~atmp |
11 |
%ProgramData% |
10 |
%TEMP%\$inst |
10 |
%TEMP%\$inst\2.tmp |
10 |
%TEMP%\$inst\temp_0.tmp |
10 |
\TEMP\config.ini |
10 |
%ProgramFiles(x86)%\wotsuper |
10 |
%ProgramFiles(x86)%\wotsuper\wotsuper |
10 |
%ProgramFiles(x86)%\wotsuper\wotsuper\Uninstall.exe |
10 |
%ProgramFiles(x86)%\wotsuper\wotsuper\Uninstall.ini |
10 |
%ProgramFiles(x86)%\wotsuper\wotsuper\wotsuper.exe |
10 |
%ProgramFiles(x86)%\wotsuper\wotsuper\wotsuper1.exe |
10 |
%SystemRoot%\wotsuper.reg |
10 |
%ProgramData%\freebl3.dll |
9 |
%ProgramData%\mozglue.dll |
9 |
%SystemRoot%\SysWOW64\config.ini |
9 |
%APPDATA%\Mozilla\Firefox\Profiles\1LCUQ8~1.DEF\cookies.sqlite-shm |
9 |
%APPDATA%\Mozilla\Firefox\Profiles\1LCUQ8~1.DEF\cookies.sqlite-wal |
9 |
%ProgramData%\msvcp140.dll |
8 |
%ProgramData%\nss3.dll |
6 |
%HOMEPATH%\pwordkrn.exe |
6 |
%ProgramData%\softokn3.dll |
5 |
*See JSON for more IOCs
File Hashes
0034790f990238fe8e57d28800a8498bce5bdf3604cc56fc670ac5d65c6e5e08 249de6212474007cb9cf42a68939fae2f769f2097a57afa664a4780b2641228e 275eb1700ac5dbe3b62ce16a06409c4866728f72ee9e5c10f43beba094038475 48ab169b253421d2ece727161c6ff26c47836d5905fa685812010c6de4b75b27 681297a82e85822a1cb5a58296a515151f417bb8aafe5d4505d2219b4fe61438 70576eb8cd35093b1ef56da7fb39bf88f32c57f410484d613b5028cecbb1b0df 743238d01b2f968044ee2b175c61574aca518874c67201146f19df5a53c3b0d2 7e71eda28ecca392d6e86a9004c3bd38c7cbdf79399e90742feac5fa066aba66 a6abe3b046e8bdcfb33fa9776195fbb89a3e4218f6bb281aedd15f28fe1f4818 bad303ab4b68379128469e3be92d5bf3b23ec7bb285a260b1fadeead3fe43bbf bc55f494359805cc4d89f6812c3a1a14d593d9ead82267dcae7029dcbddebcab be2201940b246ae89cae4f6d0a691a1092289868230f1da85f9142d180709744 c66fe1a34cbe3a966ecbd1beb87b425e004a4a21f38bd483c2c10ef7c77e5e0b c8a3cb15adb8639ceaa0092b3a7f69f362cb48bcd96ffd18d362a38a1fbfff41 d39e3e47d12347b27f81a75751145bf6915b6a12caffa2dc4b0981666339c3bb e0b5780569ee0983401f373b03909ba27babc52c258eb150939e0b9d337de594 eaa8bbd1fee19574eeed935d8756223876c64d3ca49b372c04b98b6912108586 f34e64f4e7be7e6b2c665700ec513b4783e570a4de2087ac9511f152d812b2f5 f4b4158338fe30016fb7034b70bc3babcee3be21ea5c214451d83e3cb31233d8 fdbad2f7d47f6b60b5eb5a7110c150bc89932fdf47d224a4e31d8f091ee8dc58
Coverage
| Product | Protection |
|---|---|
| AMP | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | |
| Umbrella | |
| WSA | |
Screenshots of Detection
ThreatGrid
Doc.Malware.Emotet-7544675-1
Indicators of Compromise
| Registry Keys | Occurrences |
|---|---|
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA |
7 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA | |
| Value Name: Type ` | 7 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA | |
| Value Name: Start ` | 7 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA | |
| Value Name: ErrorControl ` | 7 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA | |
| Value Name: ImagePath ` | 7 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA | |
| Value Name: DisplayName ` | 7 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA | |
| Value Name: WOW64 ` | 7 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA | |
| Value Name: ObjectName ` | 7 |
| Mutexes | Occurrences |
| — | — |
Global\I98B68E3C |
7 |
Global\M98B68E3C |
7 |
Global\Nx534F51BC |
1 |
| IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences |
| — | — |
190[.]17[.]44[.]48 |
7 |
70[.]123[.]95[.]180 |
7 |
74[.]220[.]194[.]30 |
7 |
59[.]120[.]5[.]154 |
3 |
100[.]66[.]142[.]61 |
3 |
100[.]108[.]145[.]200 |
3 |
100[.]87[.]27[.]180 |
3 |
100[.]83[.]251[.]131 |
3 |
100[.]90[.]84[.]106 |
3 |
17[.]36[.]205[.]74 |
2 |
74[.]202[.]142[.]71 |
2 |
24[.]232[.]0[.]227 |
2 |
200[.]45[.]191[.]16 |
2 |
74[.]202[.]142[.]98/31 |
2 |
51[.]77[.]113[.]100 |
2 |
98[.]103[.]188[.]70 |
1 |
200[.]107[.]202[.]33 |
1 |
67[.]212[.]168[.]237 |
1 |
85[.]115[.]130[.]101 |
1 |
206[.]126[.]59[.]246 |
1 |
162[.]211[.]85[.]171 |
1 |
80[.]93[.]143[.]50 |
1 |
203[.]130[.]9[.]8 |
1 |
192[.]185[.]21[.]150 |
1 |
192[.]185[.]2[.]205 |
1 |
*See JSON for more IOCs
| Domain Names contacted by malware. Does not indicate maliciousness | Occurrences |
|---|---|
jayracing[.]com |
10 |
rcmgdev44[.]xyz |
3 |
demu[.]hu |
3 |
itconsortium[.]net |
3 |
josemoo[.]com |
3 |
smtp[.]prodigy[.]net[.]mx |
2 |
smtp[.]fibertel[.]com[.]ar |
2 |
smtp[.]infinitummail[.]com |
2 |
smtp[.]arnet[.]com[.]ar |
2 |
smtp[.]dsl[.]telkomsa[.]net |
2 |
mail[.]1and1[.]com |
1 |
smtp[.]tcc-la[.]com |
1 |
smtp[.]indisa[.]cl |
1 |
mail[.]cemcol[.]hn |
1 |
mail[.]cobico[.]co |
1 |
cowealth[.]com[.]tw |
1 |
mail[.]an-car[.]it |
1 |
mail[.]argo[.]ge |
1 |
smtp[.]1und[.]de |
1 |
mail[.]fracma[.]co |
1 |
mail[.]castel[.]ge |
1 |
smtpvip[.]reis[.]mx |
1 |
mail[.]stscambodia[.]com |
1 |
smtp[.]netvoice[.]com[.]ph |
1 |
mail[.]mygrande[.]net |
1 |
*See JSON for more IOCs
| Files and or directories created | Occurrences |
|---|---|
%HOMEPATH%\229.exe |
10 |
File Hashes
0c9ef55223b45ef57ef38a98bbb1675f4bb284af6a56f9157e4c86b864360719 412e213dd241031a172b48a422bbcf8e3e0b45e89a984fc45028fa96299f459a 42e61e25f4b3d2b57fa973344417602c6e43537eeef6f7fdf32f9d34bf8f3604 6c4c28356c53832f5ab0a5acc2a14f4f907188655dd315bf1e18581c4c48337e 70dc1946d77ef19522ccc9d18629e8777283a715d3fa055ff7f0559331db3e26 81c603712c753de8200c0cb6dd28d6b37ac2873b968bdf8929ca129d35195d4a ac2b7c9be4cf9cf5b2e4a564a5fa312243e665dd31463448c975f38664de56f2 ca1e6ff31df37242aa2e09a4cb29b7546dd408c0b0de26dd2a946183eea64b95 d676ecd3750ce75f42ed0c6958863e01ffbf92b5169c1899513b0affc952b9de dfe5f28fde5c483ba38aff7def0df3938ae4837acb81cba696f57159fa6fa0b6
Coverage
| Product | Protection |
|---|---|
| AMP | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | |
| Umbrella | |
| WSA | |
Screenshots of Detection
AMP
ThreatGrid
Umbrella
Win.Worm.Vobfus-7541859-0
Indicators of Compromise
| Registry Keys | Occurrences |
|---|---|
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN |
12 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN |
12 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: WindowsDefender ` | 7 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: WindowsDefender ` | 7 |
| `<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | |
| Value Name: WindowsDefender ` | 7 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | |
| Value Name: WindowsDefender ` | 7 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: update ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: update ` | 1 |
| `<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | |
| Value Name: update ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | |
| Value Name: update ` | 1 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: BWOJ39VGEPRBJ ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: BWOJ39VGEPRBJ ` | 1 |
| `<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | |
| Value Name: BWOJ39VGEPRBJ ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | |
| Value Name: BWOJ39VGEPRBJ ` | 1 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: IOAUWN4A3W4AA ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: IOAUWN4A3W4AA ` | 1 |
| `<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | |
| Value Name: IOAUWN4A3W4AA ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | |
| Value Name: IOAUWN4A3W4AA ` | 1 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: 8L9ROXIFMECH6 ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: 8L9ROXIFMECH6 ` | 1 |
| `<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | |
| Value Name: 8L9ROXIFMECH6 ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | |
| Value Name: 8L9ROXIFMECH6 ` | 1 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: HE8MRP3X92SVO ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: HE8MRP3X92SVO ` | 1 |
| `<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | |
| Value Name: HE8MRP3X92SVO ` | 1 |
| Mutexes | Occurrences |
| — | — |
<random, matching [a-zA-Z0-9]{5,9}> |
7 |
HCQZLMB9VOLD |
1 |
1HZYRMUIRQ |
1 |
REYUIW9NA8LY |
1 |
bv1lr78956835 |
1 |
MUA192KRR0N |
1 |
| IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences |
| — | — |
172[.]217[.]11[.]46 |
2 |
172[.]217[.]9[.]206 |
2 |
188[.]138[.]114[.]61 |
1 |
178[.]128[.]111[.]183 |
1 |
77[.]79[.]13[.]204 |
1 |
195[.]201[.]196[.]115 |
1 |
| Domain Names contacted by malware. Does not indicate maliciousness | Occurrences |
| — | — |
www[.]altervista[.]org |
1 |
divine-vps[.]com |
1 |
moddersondazone[.]net |
1 |
khant[.]info |
1 |
applesupportforums[.]com |
1 |
underground-logs[.]tk |
1 |
www[.]emmek[.]altervista[.]org |
1 |
khant[.]me |
1 |
imscuh[.]com |
1 |
rtrforums[.]com |
1 |
tripsschool[.]netfirms[.]com |
1 |
| Files and or directories created | Occurrences |
| — | — |
%TEMP%\windefender.exe.jpg |
6 |
%TEMP%\update.exe.jpg |
1 |
%TEMP%\8c5gucto.exe.jpg |
1 |
%TEMP%\f5qrnr2jfk.exe.jpg |
1 |
%TEMP%\52qof1hoy2.exe.jpg |
1 |
%TEMP%\dvpiit26.exe.jpg |
1 |
%TEMP%\windefender.jpg |
1 |
File Hashes
171ab79cd58e2be6aeada2c137c8ab74eecf082ae2a80358e84fccd254bf760b 312b904aa6b90418558a7e9b8d25ad1f84a2ae413e542fb6a06b7aae9567957d 39154850d888f42f4a04fc19887691101aadda306311605b59aa0997ae9fd4cc 3bd1ed52b57837cbc2b072c23f9de501a7d0ed5bd3ce93d3ca7022aada5ea13f 4ca9d8cd2b950485301fb885cc1d954e7c91c03c4fd21209fe90d68426a0b073 594e3dde160ff061cabb630e7c6d8c9584e45f61bc446b03e3546d2104b25d1a 59656eb7ffde7b461f49735aa9717ab09ff883780522afa1de8d724928108b75 80f8410a8f0042edad98dc1636d6cbd6c989d5159454d86fc212eb647d413850 87a2371dc38ca7b11010496c3e4c908379596ddbd5b2eb0332817a8d18e71ea0 a92e67a93899f548c68b5d667650b0749a7ff56799ba7afd5d393bef97f946a5 e487727b0d5121e8efc6f51ffe24ce54e40f923b0d9916284b988efc4a57269e eb03d095df6d765469d088cefbd320b6cee40bc97cf1bd75ad46a115f2d3697b
Coverage
| Product | Protection |
|---|---|
| AMP | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | |
| Umbrella | |
| WSA | |
Screenshots of Detection
ThreatGrid
Win.Trojan.XpertRAT-7550253-1
Indicators of Compromise
| Registry Keys | Occurrences |
|---|---|
| `<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM | |
| Value Name: EnableLUA ` | 13 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER | |
| Value Name: UACDisableNotify ` | 13 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\X |
13 |
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN |
13 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5 ` | 13 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5 ` | 13 |
| `<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | |
| Value Name: P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5 ` | 13 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\X\RUN |
13 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\X\RUN | |
| Value Name: NOME ` | 13 |
| Mutexes | Occurrences |
| — | — |
P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5 |
13 |
| Domain Names contacted by malware. Does not indicate maliciousness | Occurrences |
| — | — |
joeing[.]dnsfor[.]me |
13 |
| Files and or directories created | Occurrences |
| — | — |
%TEMP%\Administrator.bmp |
13 |
%APPDATA%\P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5 |
13 |
%APPDATA%\P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5\P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5 |
13 |
%APPDATA%\P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5\P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5.exe |
13 |
%APPDATA%\P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5\ut |
13 |
%TEMP%\Westminster8.exe |
13 |
File Hashes
2bc7aa28fb4cab2aa55e683fa452125a29fdeaf2c8a8ad09801581ac164f6e04 33151408dca938762e705906a4da851f01d38e05ea539bc4a6b56745d1464933 3464a96f3efe37c2c852c581576c75b5f7fce51e06473317e3a927867959cd9e 395a63b07a1275522ed8867d6402abba3b81bfcafedfdd4cc42d9d7b12b03868 45df177c92177a1766adb8e57b49b588f80d5534a84f0fc91d3ce296c7793052 75dc81fe9a84e7abecc35834a59574fa6975df9dafede10ec32090c054b2a7e4 8cd515edb041f9591d71885cf5e51253f9c0569fcfae06a73e14dbfef7d6f5ef 964354f86010cf35a07fc0e8ac11c0e653409338c42cfc132d8876b0fc64d3e7 a78e29a18072a0287261c696aac850b3a2f67087e1167f7b867eff84075655ab ab4e72ae86ecc5ec5fd7fe5e727ebc069c4803fd34e975c6054fa85cf4a73f8a af2f58c80a13d01953ff089503666772bbafa371fe61eadd8561aca0026ff856 ce56803cae1069908fc47087d6d8fbd1278ae72bc36966694e35da564822446e dc5771d054a00e41f0cceb59ab59bf154b5e56d6fbff9db7a2713a5728254bbb
Coverage
| Product | Protection |
|---|---|
| AMP | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | |
| Umbrella | N/A |
| WSA | N/A |
Screenshots of Detection
AMP
ThreatGrid
Win.Trojan.Upatre-7549404-0
Indicators of Compromise
| Registry Keys | Occurrences |
|---|---|
| `<HKU>.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: a2fc9eb ` | 8 |
| Mutexes | Occurrences |
| — | — |
qazwsxedc |
9 |
Local\MSCTF.Asm.Mutexsssssssssssss1 |
8 |
Local\MSCTF.CtfMonitorInstMutexsssssssssssss1 |
8 |
Global\b54c4621-3b1b-11ea-a007-00501e3ae7b5 |
1 |
| IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences |
| — | — |
93[.]118[.]36[.]235 |
8 |
197[.]255[.]147[.]146 |
8 |
136[.]243[.]69[.]220 |
8 |
81[.]169[.]145[.]67 |
8 |
178[.]254[.]50[.]156 |
8 |
202[.]172[.]26[.]26 |
8 |
134[.]0[.]11[.]125 |
8 |
157[.]7[.]107[.]174 |
8 |
213[.]186[.]33[.]3 |
7 |
46[.]105[.]57[.]169 |
7 |
166[.]62[.]113[.]120 |
7 |
46[.]30[.]215[.]33 |
7 |
212[.]48[.]68[.]63 |
7 |
208[.]117[.]38[.]143 |
7 |
5[.]39[.]73[.]158 |
7 |
3[.]114[.]58[.]184 |
6 |
37[.]58[.]63[.]231 |
6 |
81[.]19[.]159[.]64 |
6 |
198[.]199[.]67[.]86 |
6 |
185[.]227[.]80[.]58 |
6 |
211[.]1[.]226[.]76 |
3 |
192[.]35[.]177[.]64 |
2 |
203[.]189[.]109[.]240 |
2 |
213[.]186[.]33[.]87 |
1 |
46[.]166[.]187[.]64 |
1 |
*See JSON for more IOCs
| Domain Names contacted by malware. Does not indicate maliciousness | Occurrences |
|---|---|
schema[.]org |
8 |
api[.]w[.]org |
8 |
gmpg[.]org |
8 |
recaswine[.]ro |
8 |
pendletonforhouse[.]com |
8 |
ecocalsots[.]com |
8 |
www[.]riesa[.]de |
8 |
gestes-argile[.]com |
8 |
feuerwehr-stadt-riesa[.]de |
8 |
treatneuro[.]com |
8 |
national-drafting[.]com |
8 |
dupdiesel[.]co[.]za |
8 |
has-gulvakfi[.]com |
8 |
domaine-cassillac[.]com |
8 |
cerenalarmkamera[.]com |
8 |
definitionen[.]de |
8 |
eatside[.]es |
8 |
takatei[.]com |
8 |
www[.]takatei[.]com |
8 |
themeisle[.]com |
7 |
www[.]ovh[.]co[.]uk |
7 |
plexipr[.]com |
7 |
paintituppottery[.]com |
7 |
viralcrazies[.]com |
7 |
camlavabolari[.]com |
7 |
*See JSON for more IOCs
| Files and or directories created | Occurrences |
|---|---|
%HOMEPATH%\Start Menu\Programs\Startupx\system.pif |
8 |
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startupx\system.pif |
8 |
%APPDATA%\a2fc9eb |
8 |
%APPDATA%\a2fc9eb\ea2fc9.exe |
8 |
%APPDATA%\8ddb21f\88ddb2.exe |
5 |
%HOMEPATH%\HELP_FILE_430D48DC3.png |
1 |
%HOMEPATH%\HELP_FILE_530D48DC3.html |
1 |
%HOMEPATH%\HELP_FILE_530D48DC3.png |
1 |
%HOMEPATH%\HELP_FILE_630D48DC3.html |
1 |
%HOMEPATH%\HELP_FILE_630D48DC3.png |
1 |
%HOMEPATH%\HELP_FILE_730D48DC3.html |
1 |
%HOMEPATH%\HELP_FILE_730D48DC3.png |
1 |
%HOMEPATH%\HELP_FILE_830D48DC3.html |
1 |
%HOMEPATH%\HELP_FILE_830D48DC3.png |
1 |
%HOMEPATH%\Local Settings\Application Data\HELP_FILE_130D48DC3.html |
1 |
%HOMEPATH%\Local Settings\Application Data\HELP_FILE_130D48DC3.png |
1 |
%HOMEPATH%\Local Settings\Application Data\HELP_FILE_230D48DC3.html |
1 |
%HOMEPATH%\Local Settings\Application Data\HELP_FILE_230D48DC3.png |
1 |
%HOMEPATH%\Local Settings\Application Data\HELP_FILE_330D48DC3.html |
1 |
%HOMEPATH%\Local Settings\Application Data\HELP_FILE_330D48DC3.png |
1 |
%HOMEPATH%\Local Settings\Application Data\HELP_FILE_430D48DC3.html |
1 |
%HOMEPATH%\Local Settings\Application Data\HELP_FILE_430D48DC3.png |
1 |
%HOMEPATH%\Local Settings\Application Data\HELP_FILE_530D48DC3.html |
1 |
%HOMEPATH%\Local Settings\Application Data\HELP_FILE_530D48DC3.png |
1 |
%HOMEPATH%\Local Settings\Application Data\HELP_FILE_630D48DC3.html |
1 |
*See JSON for more IOCs
File Hashes
04e7c9d7cb59d57085636e06d1e30098ab81f85805bc9ac6c4c9270d697d6e96 434ff7bfd6a752f3c56c20d8a7e8853a94e99be9d112442eed257ee42800e957 49a97e5e68d188e423af3eebe2b3a62d2a285006d42c5dfd10cfdbe534534c91 61e76a0e801cb7a30221f4075ec8c5fc733cc7b3d5bda520551b8bd053f101d2 8f237cc28360ef130227b92323a986c3136242600fc2188b92c48fad5df2f7fe 98db4c353cc79a3b9bfae516ab56fab19166d2fed1f108cbff33447cc2feac33 a27d8ad3e0ef1d792cc6504a41d3eaecf11802d03fdbfb08c811217759f2d965 de940e24beca778c6d8afd8b625eeaff0549342ce061fd75ce817d2d5add612c e67b98c9041d13d17904f65f875e840c7f40cbf60fdc25c0767fefc5c57cb634 eccb6d79ce6669a5e4fb1f394f920224fe40d0dd782c8dd12cf4004c81c32765
Coverage
| Product | Protection |
|---|---|
| AMP | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | |
| Umbrella | |
| WSA | |
Screenshots of Detection
AMP
ThreatGrid
Umbrella
Win.Packed.Passwordstealera-7544289-0
Indicators of Compromise
| Registry Keys | Occurrences |
|---|---|
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: Quasar Client Startup ` | 12 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: java ` | 4 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: Java ` | 4 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: error pending ` | 2 |
| `<HKCR>\LOCAL SETTINGS\MUICACHE\52C64B7E | |
| Value Name: LanguageList ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: Windows startup ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: NET framework ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: steam ` | 1 |
| `<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\WINDOWS | |
| Value Name: Id ` | 1 |
| `<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\WINDOWS | |
| Value Name: Index ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: NvDisplay ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: Windows Defender ` | 1 |
| Mutexes | Occurrences |
| — | — |
SwHHcMzPFPnmaghyKW |
2 |
ymJAxrWzIz9Lmt1RL3 |
2 |
UuCyPSySUiFSDdHPtO |
2 |
sFWQsTLv8c5vk4jyO0 |
1 |
tsgtBnaQMyDFZrUQIp |
1 |
YsyBq3MBwCzQNk2qhM |
1 |
q624fQPLA3sreuCLzt |
1 |
N3og1f8lHLVNu6W30c |
1 |
KckvHhqL1uihc4dCLw |
1 |
RTzXcJcD26j9cGndLe |
1 |
9uxtMjacj46ojfxw8Z |
1 |
tmiYIVMkI1dD9zfRjT |
1 |
hI0uR11aF8XGlij0wp |
1 |
fJO2dbxEGn2ZNnVHEj |
1 |
zqUBYqdAinRE5xYguS |
1 |
RtX4BZD2nWkVu0prSe |
1 |
HjjzZQZESOkAInyZch |
1 |
cP20H0tkmTiytEkIEL |
1 |
ixlUgkBMIocn8A96xU |
1 |
yIKLaGMppBM6EDhhvU |
1 |
mLvIMV7J1hOyksFGvj |
1 |
hj0AV9bM5BIleznxOc |
1 |
UQjK2wv6weKFSvAPxM |
1 |
UrlxbiSJX7lUOpSRZs |
1 |
JsMa39ctmfwcdenPhN |
1 |
*See JSON for more IOCs
| IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences |
|---|---|
208[.]95[.]112[.]1 |
52 |
37[.]8[.]73[.]90 |
2 |
192[.]69[.]169[.]25 |
1 |
103[.]43[.]75[.]105 |
1 |
3[.]14[.]212[.]173 |
1 |
3[.]19[.]114[.]185 |
1 |
18[.]188[.]14[.]65 |
1 |
103[.]136[.]43[.]131 |
1 |
103[.]73[.]67[.]70 |
1 |
74[.]118[.]139[.]67 |
1 |
213[.]183[.]58[.]52 |
1 |
141[.]255[.]158[.]23 |
1 |
80[.]66[.]255[.]129 |
1 |
95[.]59[.]113[.]113 |
1 |
109[.]230[.]215[.]181 |
1 |
185[.]248[.]100[.]84 |
1 |
95[.]156[.]232[.]34 |
1 |
88[.]150[.]227[.]112 |
1 |
23[.]249[.]161[.]111 |
1 |
36[.]84[.]57[.]230 |
1 |
36[.]84[.]56[.]39 |
1 |
| Domain Names contacted by malware. Does not indicate maliciousness | Occurrences |
| — | — |
ip-api[.]com |
52 |
swez111[.]ddns[.]net |
5 |
scammer[.]chickenkiller[.]com |
2 |
holaholahola[.]hopto[.]org |
2 |
chrome[.]giize[.]com |
2 |
niroshimax[.]zapto[.]org |
2 |
0[.]tcp[.]ngrok[.]io |
1 |
gingles[.]ddns[.]net |
1 |
dhayan[.]ddns[.]net |
1 |
sanchosec[.]ddns[.]net |
1 |
apina123[.]duckdns[.]org |
1 |
mlks[.]ddns[.]net |
1 |
update1337[.]duckdns[.]org |
1 |
ord |
1 |
dike[.]duckdns[.]org |
1 |
nirovitch[.]zapto[.]org |
1 |
nume123[.]hopto[.]org |
1 |
pilnaspuodas[.]ddns[.]net |
1 |
danek56[.]ddns[.]net |
1 |
windows13467[.]ddns[.]net |
1 |
backtofuture[.]zapto[.]org |
1 |
nerdicon[.]ddns[.]net |
1 |
| Files and or directories created | Occurrences |
| — | — |
%APPDATA%\Logs |
35 |
%APPDATA%\Logs\01-17-2020 |
35 |
%APPDATA%\SubDir |
28 |
%System32%\Tasks\WINDOWSSYSTEMHOST |
22 |
%APPDATA%\SubDir\Client.exe |
18 |
%System32%\Tasks\Quasar Client Startup |
8 |
%APPDATA%\<random, matching '[A-Z][a-z]{3,5}\[a-z]{4,6}'>.exe |
8 |
E:\autorun.inf |
7 |
\autorun.inf |
7 |
%System32%\Tasks\java |
4 |
%APPDATA%\<random, matching '[a-z0-9]{3,7}'> |
4 |
%APPDATA%\SubDir\WinUpdate.exe |
2 |
%SystemRoot%\SysWOW64\java64 |
2 |
%SystemRoot%\SysWOW64\java64\java.exe |
2 |
%System32%\Tasks\error pending |
2 |
%APPDATA%\SubDir\fileintl.exe |
2 |
%System32%\Tasks\Windows Defender |
1 |
%System32%\Tasks\Windows |
1 |
%System32%\Tasks\Windows startup |
1 |
%System32%\Tasks\WinSql |
1 |
%APPDATA%\SubDir\WinSql1.exe |
1 |
%System32%\Tasks\NET framework |
1 |
%ProgramFiles(x86)%\SubDir |
1 |
%ProgramFiles(x86)%\SubDir\Client.exe |
1 |
%System32%\Tasks\RDPBlox Agent |
1 |
*See JSON for more IOCs
File Hashes
02c9df3dec221cacfa6c97e91bee174af3022dac4588e3f494108b0cc5c9fe1e 03fa8b9de359535afb3af2914e2bd91d630b85a0596604501968b12f9187b1da 0624f9670f56e83ab5bbdf903879ffd0facb5b27b4bc53d16f5d4a560033cdf8 0668b26c7ab4e7adbdf98d515b0a58ae06f5e89d67e5c9fa02a9ee7bea8a477a 09666ba370e36246342d7093b6c63b5a8ef10966fa78b79bcf570659a0dd2f77 0c598a620e83a6e0ee892aa5090e2dbbf36dde886620647be8c27bab0b94859e 0ed3feae6696b3986ae492d85fef56e2ec226d7b010154470b433bfc357f861b 189c7ebae4cdd338f844ba5adc3ecc322294a7be438a3a72eea69468ac068eb3 192a0440574068fd9297086e0cf05a57d8ae4af03045d6be4c0b4f21bd636a72 19b8ed7ab551d89467c665ee7f509fe3ece9101679b5302cdc70c6d3a8c12ee6 26f294e691ec271d761a167704d495ca8bdc4d66cb0cd332a0e49313164988b1 27473eaee1e66c3a9581d17b4ff94d481c31f23032b810493d99a23eebee6b22 29f55d706d0e7390d7e77aceae79909654b4868179ff6913f28d78df945a5a51 2b3eb6cf09691b169c603cbeba508c4056eb6c8d1f12abe11b3c11c77b130604 2d3cef89943a95c57418be1996431f9803c6df4a9307d1890a3885c8794986af 3068250bcb0e8ffcee254c2da91e2696703bf36cfb195415aa3b0c454601dad1 3204ad689f3939402dae9670970c55c684b559ce1a8ba5726eb3e143a0beea4a 3622a2b3adfc7cbc7727a7a13dc6c895290c6f6fc93c8e64e753e2041cafed16 362ec0bc0738f083dcdbf9472ebf4e6227b33d093c9dacf1093607fa3b53ea01 38c56bc6885e546caab8faa8f9b75a6b1d82a60f686038ccaf72f148187fb1ee 3baa2fb31a69683a134a24d5a5a05aa1619ce65ba9811e34d254a5efd708580c 42ee0201d3a74bf465daef9178042cc7fb28bab5b932e6d7a865cbc11fce6c94 472736830d9114c83bad680bc95c138d3951213d1429e314749b18083ac5cdf2 4d583b00c74ef261c7c20e53563b521ddda7b85bf5b1ac98463af0c6488a55d0 54b3c135aa1fe9b870209d36e286df1d7dc4e6182b664285f3564c573dbbdc89
*See JSON for more IOCs
Coverage
| Product | Protection |
|---|---|
| AMP | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | |
| Umbrella | N/A |
| WSA | |
Screenshots of Detection
AMP
ThreatGrid
Exploit Prevention
Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
CVE-2019-0708 detected - (8483)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Atom Bombing code injection technique detected - (795)
A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shell code as a global Atom, then accessing it through an Asynchronous Process Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
Excessively long PowerShell command detected - (576)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Process hollowing detected - (288)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Kovter injection detected - (264)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Gamarue malware detected - (193)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Installcore adware detected - (90)
Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Dealply adware detected - (61)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Reverse tcp payload detected - (13)
An exploit payload intended to connect back to an attacker controlled host using tcp has been detected.
WinExec payload detected - (13)
An exploit payload intended to execute commands on an attacker controlled host using WinExec has been detected.
Related
